Reference Case Number: FOI11655
Freedom of Information: Right to know request:
Thank you for your email of 18 September 2024, concerning cyber breach incidents. Additionally, thank you for your email of 11 October in which you clarified your request. The full text of your emails can be found in Annex A below.
FCA response:
Questions 1 and 2
We can confirm that we hold information for this request as firms report material operational incidents to the FCA under the FCA’s SUP 15.3 General Notification Requirements and pursuant to Principle 11 of the FCA’s Principles for Businesses. We record this information centrally. This includes incidents that are a result of cyber-attacks.
In considering our response, please bear in mind that the figures provided below:
- Do not include incidents at FCA regulated firms that have not been reported directly to the FCA; and
- Are accurate as at 21/10/2024 and may be subject to change due to ongoing investigations of incidents.
Additionally, please note that we have interpreted:
- ‘Cyber breach incidents’ means operational incidents reported to the FCA by FCA regulated firms where the root cause was reported to be the result of a cyber incident. For awareness, within the definition of cyber incident we would include incidents categorised as cyber-attacks on a third party that have impacted the firm, DDoS, malware/malicious code, phishing/credential compromise, ransomware, and spoofing.
- ‘Data breach’ means ‘a confirmed incident in which the confidentiality of company or personal data is compromised or breached’. This does not mean that in every case personal/company data was exfiltrated/stolen.
Finally, in relation to personal data, the Information Commissioner’s Office (‘ICO’) is the UK’s regulatory authority responsible for upholding information rights in the public interest, promoting openness by public bodies, and data privacy for individuals. The Data Protection Act 2018 (DPA 2018) and the General Data Protection Regulation (GDPR) do not require firms to report personal data breaches or compromises to the FCA; however, firms should consider reporting material operational incidents to us pursuant to the general notification requirements contained in SUP 15.R. We are not required to report personal data breaches or compromises regarding firms to the ICO – this is the responsibility of the firms.
Turning now to your questions:
- In the period covering 1 January 2023 to 31 December 2023, the FCA received 216 incident notifications from FCA regulated firms where the root cause was reported to be the result of a cyber-attack.
Of the 216 reported:
- 106 related to a cyber-attack against a third-party provider; and
- 45 identified a data breach although, as above, it should be noted that GDPR does not require firms to report data breaches or compromises to the FCA and, as such, this data may be incomplete.
No cyber incidents in 2023 have resulted in an enforcement investigation being opened against a firm.
- In the period covering 1 January 2024 to 18 September 2024, the FCA received 101 incident notifications from FCA regulated firms where the root cause was reported to be the result of a cyber-attack.
Of the 101 reported:
- 31 related to a cyber-attack against a third-party provider; and
- 15 identified a data breach although, as above, please note that GDPR does not require firms to report data breaches or compromises to the FCA and as such, this data may be incomplete.
No cyber incidents in 2024 have resulted in an enforcement investigation being opened against a firm.
It may be of interest to you to note that in 2023, we took enforcement action relating to cybersecurity against Equifax Ltd – for more details please see the following Final Notice.
Questions 3 to 7
We do not hold this information because firms are not required to report this to us.